Sneaky Microsoft add-on puts Firefox users at risk

CWmike writes: An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves that browser open to attack, Microsoft's security engineers acknowledged earlier this week. One of the 13 security bulletins Microsoft released Tuesday affects not only IE, but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago. "While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox." The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site.

Google Chrome

[rakslice]

This presumably also affects users of Google Chrome under Windows, as Chrome quietly hunts down and uses a wide variety of plugins installed in other browsers including the WPF plugin. At least in Firefox you can actually turn plugins off within the browser.

Firefox 3.5

[slack_justyb]

This plugin doesn't seem to work in Firefox 3.5. I keep getting a not compatible with Firefox 3.5.3 message by the plugin. I guess the solution to the problem is to upgrade? Anyone else getting a different result with this plugin on Firefox 3.5.3?